News and analysis of critical issues in homeland security

March 27, 2006

The Center for Strategic and International Studies (my erstwhile employer) held an event this morning to release a report entitled “Open Source Information: The Missing Dimension of Intelligence.” The report looks at the role of open-source information and considers the potential utility of a “trusted information network” of non-governmental experts as a tool for collaborative intelligence analysis.

The report’s key findings include:

Government counterterrorism and intelligence collection methods cannot be properly applied without the understanding and calibration that open source information and nongovernmental expertise can provide. Open source information, broadly construed, will be at least as important in the world’s counterterror efforts as secret intelligence was during the Cold War.

There remains a failure to recognize that the new, unbounded forces of international terrorism represent a different threat environment, one that requires a major focus on open source collection to complement the rare but highly valuable insight derived from covert collection.

The effort to engage open source, nongovernmental expertise across borders is not meant to supply actionable intelligence that identifies a particular terorrist on a certain street, but instead to share information and knowledge about the terrorist and his/her environment.

Many in the intelligence community are well aware of the value of open source information and the universe of experts outside of the classified world, but there is no comprehensive program to exploit this talent. Outside experts are most often engaged and consulted on a one-off basis, rather than as core, central participants in the intelligence process.

Unlike during the Cold War, much of the value added information or “intelligence” on today’s threat resides in foreign language databases and in foreign minds. The United States does not have reliable access to either.

The project team that wrote the report also launched a prototype “trusted information network” today, bringing together relevant experts to conduct open-source analysis of the European jihadist threat. This open-source intelligence analysis model is also very relevant to domestic homeland security, and there has been a lot of movement on the issue of enhancing DHS’s open-source capabilities in the last few weeks. Rep. Rob Simmons (R-CT) and Rep. Zoe Lofgren (D-CA) dropped a bill last week to instruct DHS to utilize open-source intelligence, and Sec. Chertoff discussed the role of open-source during Q&A at a hearing last month:

I will say in general, I believe in open source. I think Charlie Allen believes in open source. We have put more money in general into the category of intelligence and operations. I know I am limited in what I am allowed to say, but I can tell you we do want to make sure we have adequate resources to pursue open source, as well as other kinds of analytic intelligence.

I haven’t been writing about the Moussaoui trial on this site, primarily because I have no legal background, but today’s proceedings are nothing short of astounding. From the Post:

Zacarias Moussaoui testified in an Alexandria courtroom this morning that he was tapped by Osama bin Laden to hijack a plane and fly it into the White House as part of the terrorist attacks that claimed nearly 3,000 lives on Sept. 11, 2001.

Testifying at his own death-penalty trial, over the objections of his attorneys, Moussaoui said he had not known the precise date the attacks were to take place, but that he knew they would involve the White House, the World Trade Center and other targets.

He said he was supposed to head a five-man crew that also would have included Richard Reid, a British citizen who tried to set off explosives in his shoes aboard a transatlantic flight two months after the Sept. 11 attacks….

Questioned by defense lawyer Gerald Zerkin for less than 30 minutes, Moussaoui was asked: “Were you scheduled to be a pilot in the operation that was to be run on Sept. 11, 2001?”

He replied: “Yes. I was supposed to pilot a plane to hit the White House. I only knew about the two planes of the World Trade Center in addition to my own plane.”

Wow. There’s a chance that he’s lying to inflate his own importance in the al-Qaeda lore, but if this is true, it adds a whole new dimension to our understanding of 9/11.

The DHS privacy office has published the Privacy Impact Assessment for DHS’s agreement with Dubai Ports World (at the time when DPW was still pursuing the acquisition) related to the Department’s ability to screen P&O’s US-based employees to assess their terror risk and be able to uncover an insider threat. The document discloses the terms of this DHS-imposed condition in greater depth than has been publicly disclosed to date:

TSA will collect the name, job title, date of birth, and social security number, as well as alien registration number if applicable, from P&O NA for all of its employees operating in the United States. Individuals will be compared to watch list information held by the Terrorist Screening Center in the Terrorist Screening Database (TSDB) and will be checked for immigration status. In the event an individual is identified as a security threat, a redress process will be available. This process will entail the collection of additional information about the individual in order to resolve any issues regarding misidentification. The additional information sought will vary based on the reasons for any misidentification. The redress process is more fully explained in section 7.2 below.

The importance of this document is now largely historical, but it provides an interesting window into vetting processes for people working in high-risk positions. For more information on the Privacy Impact Assessment process, see this page on the DHS Privacy Office’s website, which contains a full collection of PIA’s.

After reading the notice, it seems like this new committee is intended to be much more than a talk shop. The notice lists 28 private sector entities and 42 public sector entities who will be members of the CIPAC at inception; given this size and scope, I imagine that the committee is not going to be driven by blather-filled quarterly meetings. Rather, my sense is that DHS intends to use the CIPAC as a “secure channel” for a continuous conversation with industry about critical infrastructure vulnerabilities and needs. The challenge that they will face is balancing the legitimate need to protect sensitive information about vulnerabilities with two equally important needs: (1) keeping the owners of critical infrastructure publicly accountable for their actions (or lack thereof); and (2) informing the broad set of stakeholders about relevant intelligence (which often becomes more difficult when transparency decreases).

The railways transport more than 1.7 million shipments of hazardous materials every year, including 100,000 tank cars filled with toxic gases like chlorine and anhydrous ammonia.

According to a recent study by the Navy, an accident or terrorist attack involving a single car of chlorine near a densely populated area could kill as many as 100,000 people.

In New Jersey, where so many chemical factories and refineries are crowded near major population centers, including a stretch near Newark Liberty International Airport that has been called “the most dangerous two miles in America,” the difficulty of managing that potentially deadly cargo is particularly complex.

Since 9/11, railroads have spent millions to install fences and security cameras and add additional officers around the state, but industry officials concede that their facilities are far too large to be completely sealed. Leaders of railroad workers’ unions say it is not uncommon for tanker cars to be left unattended for days, and that security along the rails is frighteningly inadequate. And the sight of graffiti-covered tank cars filled with deadly gases is a reminder of the holes in the security system.

I agree with the Association of American Railroads’ assertion in the article that they have taken steps to address rail security issues – by every account I’ve heard, they have been much more proactive than other industries at improving their own security. But when I read passages like this one below, it’s clear that DHS and other relevant government agencies need a greater sense of urgency about improving rail security:

“Chemical transport is clearly the greatest vulnerability in the country today, and for some reason â€” and I’m not sure what it is â€” the federal government has not acted,” said Richard A. Falkenrath, President Bush’s former deputy homeland security adviser. “There’s no legislation necessary, the government already has the authority to require stronger containers, reroute shipments, and allow the kind of tracking that would allow local police agencies to know what they have to contend with in their communities. But to date it hasn’t been done.”

March 24, 2006

Below is a list of homeland security policy events in the DC area next week. I post a list each week and will sometimes update mid-week when I find new items. You can always find current and previous postings under the â€œEventsâ€ category tab at right. And please note that many events require prior invitations and/or RSVPs.

The publication Government Computer Newshas an excellent story in its latest issue on the the government’s efforts to track and interdict terrorists’ financial activities:

When a suburban Virginia resident began transferring money to Taliban-controlled Afghanistan immediately after Sept. 11, 2001, federal agents took notice, and began tracking the pattern and destinations of his wire transfers.

Last year, the man, Rahim Bariek, was convicted of receiving and transferringâ€”without a licenseâ€”about $5 million to Iran, Pakistan and Afghanistan, said IRS-Criminal Investigation officials.

Investigators couldnâ€™t have broken this case, or other similar ones, without robust applications that analyze trends and patterns in large amounts of financial data. The type of data agencies require from banks and other financial institutions under the Bank Secrecy Act hasnâ€™t changed, but the volume has increased because Congress has required more industries to provide information.

Investigating agencies, such as the Treasury Departmentâ€™s Financial Crimes Enforcement Network and IRS-CI, use analytic software that can dig deeper and more broadly through the sea of data to discern patterns of money laundering and terror financing.

Like a digital bloodhound, analytic software picks up trails of data left by money launderers and terrorism financiers in their transactions. The financial activities may appear lawful until analysts combine that information with other data.

The article goes on to describe some of the analytical tools that the key government agencies are using to track terrorism finance. Overall, an interesting piece on an ofter overlooked element of homeland security. For more on this issue, see the links at these previous posts.

Based on what the article says, the only thing that troubles me about this is the no-bid contract. Hutchison Whampoa, through its port terminal subsidiary, has probably been the most-forward leaning company in the world in investing its own money in port security. Next week Sec. Chertoff is visiting the Port of Hong Kong to see their best-in-the-world container screening system. Who made a large share of the investment in that system? Hutchison Whampoa. Here’s a quote from congressional testimony by Steve Flynn earlier this month:

Hutchisonâ€™s chief executive, John Meredith, is an outspoken advocate for improving container security and has championed the Hong Kong pilot program, which runs in one of its terminals. His enthusiasm for the project is shared by Sean Kelly, a U.S. citizen who is currently the Managing Director of Modern Terminals in Hong Kong where the second pilot has been running.

Anyone who is trying to tar this deal as inherently bad for security has not done their homework.

The article also quotes Al Santoli, a former aide to Rep. Dana Rohrabacher – who has been after Hutchison Whampoa back to the time of the late 90′s controversy over their management of the Panama Canal – over the fact that U.S. officials wouldn’t be on the ground at the port, overseeing operations. Santoli also hasn’t done his homework, evidently. According to this page on the US Embassy website, CBP already has 20 employees in Freeport, Bahamas doing customs pre-clearance work. And it’s perfectly capable of carrying out container targeting and selection in northern Virginia at the National Targeting Center, as is the case with all other foreign ports.

On the topic of aviation security, he discussed the false positive problem with government watch lists, and suggested that one solution would be additional disclosure of information by travelers, singling out a person’s date of birth, address, and social security number as examples of new data requirements. He conceded that it would be difficult to mandate these disclosures due to privacy issues, but thought that most people would think this would be a fair tradeoff between the risk of being selected for secondary screening. (I think this idea makes sense in principle, but the decisions about what types of data to require should be made cautiously. Asking for someone’s date-of-birth sounds fine; asking for someone’s social security number sounds like a bad idea.)

He also talked about the need for a greater role for behavior detection in aviation security, and told a story about a Jordanian man who was denied entry into the United States by CBP inspectors in 2003 as a result of suspicions based upon behavioral screening. That same person who was denied entry turned out to be a suicide bomber in Iraq in 2005, where he carried out a bombing that killed 132 people. (See this MSNBC story for background on this example).

He noted that two points of emphasis in his meetings with Chinese officials next week would be the repatriation of illegal immigrants and strengthening joint efforts to crack down on Chinese human smuggling rings.

The webcast stopped working during the Q&A….hopefully they’ll have a transcript up soon.

Jim Carafano at the Heritage Foundation has published a memorandum this week entitled “America Needs a Security Strategy for Safer Skies” which makes the case that the United States needs an “air security strategy,” similar to the same way that HSPD-13 led to the development of the National Strategy for Maritime Security. This concept of “air security” includes but is broader than aviation security; it also encompasses airspace protection and control, and missile defense.

Carafano argues that the strategy should address five key priorities:

Passenger screening

Shoulder-fired missile (MANPAD) threats

Domestic air security investment

Theater cruise and missile defense

A reasonable role for the private sector

I agree strongly that it makes sense for the federal government to develop a “national strategy for air security.” And I concur with many of the points in the memorandum, in particular the need for better intelligence-sharing with the private sector in this domain, and the idea that airspace security should become the primary responsibility of the Coast Guard and Customs and Border Protection, instead of DOD (although I think there’s still a role for the Air Force and Navy in the actual interception of hostile aircraft.)

I also think it’s reasonable to develop a strategy for the domestic deployment of theater missile defense (TMD) systems, but I don’t think that DHS needs its own TMD capability: DOD’s TMD assets should be leveraged for the homeland defense mission. One area where I disagree is on counter-MANPAD systems. It was appropriate to develop prototype systems (as DHS has done) but I don’t think that the deployment of these systems is the best use of homeland security resources right now.

And on the topic of passenger screening, I’m not sure what Carafano means when he writes:

If 10 years from now the United States is still physically screening airline passengers, something will have gone terribly wrong. The United States should commit to becoming a global leader in developing an alternative security screening program that does not require 100 percent physical screening.

If there’s some silver bullet solution to aviation screening on the horizon, I haven’t heard about it yet. I think we need new layers of security in the system (e.g. stronger intelligence, behavior detection, more advanced detection tools) but having new layers doesn’t automatically mean that it’s safe to move away from 100% screening. I think it’s a laudable goal to find ways to move away from total screening and reduce costs, but I’m pessimistic about finding ways to do that, unless we perhaps go with Tom Friedman’s immodest proposal.

Overall though, an interesting memo that puts forward some good ideas that should be debated and considered.

The report provides the context for three issues that Congress could decide to take up:

Should DHS certify state and urban area emergency operations and homeland security plans as a condition of assistance?

Should DHS require specific activities to be part of state and urban area homeland security plans?

Should DHS require and administer state and urban area homeland security exercises?

My initial reaction to these policy questions is that Congress should be careful about establishing strict mandates, since states face varying degrees of terror threats and heterogenous natural disaster risks. If Congress mandates too many activities, that could leave states with insufficient discretionary funds to be able to carry out other activities that are relevant to their distinct needs.

I agree with Schneier’s positive assessment of the report. The steps that are defined in the framework provide a solid analytical roadmap for looking at programs where privacy and security come into conflict.

But resolving these issues is easier said that done. The report describes the final “recommendation” decision accordingly:

Should the program proceed? Do the benefits of the program described in Step 3 justify the costs to privacy interests described in Step 4?

Any attempt to calculate the tradeoffs between security and privacy is inherently difficult, due to the subjectivity of any methodology to place a tangible price on either interest. And people will always place widely diverging values on security and privacy – what looks like a good trade-off to me might not seem all that hot to you.

Even if the right framework is in place, I think there’s always going to be this “political economy” problem in the privacy vs. security debate. But an open civic discussion of these issues based on solid frameworks such as this one can smooth out the rough edges of this debate.

“These results show that New Yorkers strongly support a missile defense system as an important part of homeland security and public safety,” said Ellison, who founded MDAA in 2002. “It is clear that New Yorkers are aware of the threat and see missile defense as an additional solution along with diplomacy and international treaties to negate the proliferation of missiles that can carry weapons of mass destruction.”

Do you think the United States should or should not have a missile defense system with the ability to protect the United States from an attack by missiles that might contain nuclear, chemical or biological weapons? [WITH INTENSITY] And do you feel that way strongly or not?

This survey question is deeply flawed, in two key ways.

First, why the hell would anyone put biological weapons on a ballistic missile? That’s the most costly and least effective means that I can think of to carry out a biological attack. The biological material would probably be destroyed on impact. Chemical weapons aren’t much better. Basically, this threat is a nuclear one – and by throwing biological weapons and chemical weapons into the mix, the survey question misleadingly heightens the respondents’ fear of the threat.

Second, nowhere in the survey does it explain to the respondents about alternative means of delivery for nuclear, chemical or biological weapons….implying that delivery by missile is the most likely option. But nuclear weapons could enter the country via a seaborne cargo container or smuggled across a land border. Biological weapons could be smuggled into the United States in someone’s carry-on luggage. Both chemical and biological weapons can be manufactured domestically with varying levels of ease. By not presenting the people being surveyed with a full picture of the possible means of acquisition and delivery, the poll gives a false impression that this is the primary threat, which people (quite correctly) will want to stop.

There is a real missile threat to the United States, primarily from North Korea. But it needs to be carefully weighed against other threats to U.S. national security on the basis of threat, vulnerability, and consequence in a way that allows honest, risk-based decisions about homeland security and defense priorities.

Janet Hale announced today her intention to resign as Under Secretary for Management at the Department of Homeland Security, effective in early May. She is a pioneer in the department and has led the merger of core management and budget functions of 22 distinct components into a unified structure that is based in discipline and integrity.

Janetâ€™s remarkable dedication to this department has led the way for a 21st Century human resource system, fully integrated information technology architecture, a financial management structure with accountability, and a successful strategic procurement program.

I commend her for the immense sacrifices she made to meet the extraordinary demands of her position, and I thank Janet for her great service to our country and lasting contributions to this department.

The LA Times ran an editorial piece late last week by Colin Hanna, proprietor of the website weneedafence.com, making the economic case that putting a physical fence along the southern border would be a cheaper option than creating a “virtual fence” using technology and an expanded Border Patrol:

To the extent that a virtual fence could be deployed, it would require at least 150,000 border agents â€” four shifts of 15 patrol agents per mile plus support personnel â€” to effectively apprehend the illegal aliens detected by cameras, motion sensors, drones and heat sensors. This is extremely impractical and cost prohibitive; we currently have only 11,000 active border agents.

The virtual fence option would only track â€” not prevent â€” illegal immigrants from entering the country. Even if we could apprehend a great number of them, that would put into motion an expensive deportation process, with taxpayers footing the bill.

The construction of a secure physical barrier along the southern border of the U.S. is an absolutely necessary component to any truly comprehensive immigration reform bill.

The estimate of a need for 150,000 agents with a virtual fence is a bit of hyperbole, but other than that, Hanna’s logic is sound. A comprehensive US-Mexico border fence should cost somewhere around $6 billion ($3 million/mile) with competitive bidding, using the Israeli wall as a comparable project in terms of price. (It shouldn’t have to cost as much as the San Diego border fence, given that the terrain that is much more rural and flat. If it does, then something’s wrong). Let’s assume it would then require $250 million/year in maintenance.

On the other side of the balance sheet, DHS has requested $2.4 billion for “Border Security between the Points-of-Entry” in FY 2007, most of which is for the Border Patrol – a 50% increase from FY 2005. This increase follows a decision by Congress in 2004 to authorize a doubling of the size of the Border Patrol over five years; after completing this process, the Border Patrol’s budget will have increased by at least $1.7 billion/year.

But if the government built a fence, it likely would no longer have a rationale to double the size of the Border Patrol, and this $1.7 billion/year increase could be rolled back and used to offset the new costs of a fence. The Border Patrol would still be needed to interdict people trying to jump or circumvent the fence, but it would no longer require large budget increases. Netting out other relevant factors, the payback period on a border fence is therefore approx. four years.

I still have a visceral dislike of the idea of a border fence, and I think any bill that includes a comprehensive fence needs to also include some kind of temporary worker program. But I have to admit that from an fiscal perspective, it’s quite likely that a fence would be a cost-saving response to the challenge of southern border security.